Implementing DirectAccess with Windows 10 by David Papkin

This post by David Papkin is about implementing DirectAccess with Windows 10.

As a role service of the Remote Access server role, DirectAccess provides connectivity to organization network resources without a traditional Virtual Private Network (VPN) connection. A DirectAccess client is connected to the organization network whenever it has Internet access; remote users never start or stop the connection, as they must with a VPN. Because the computer itself establishes the connection, before any user logs on, IT administrators can manage DirectAccess client computers whenever they are running and connected to the Internet.

Windows 10 contains DirectAccess and all of the client components needed to use it, just like Windows 8 and 8.1. Also like Windows 8.x, the only Windows 10 SKU that contains the DirectAccess components is Enterprise, so your client machines must run that edition in order to use DirectAccess.

Windows 10 DirectAccess Clients include native support for geographic redundancy and transparent entry point failover.

As organizations increasingly rely on their DirectAccess deployments for remote worker productivity, ensuring that the solution is highly available is of paramount importance. DirectAccess can be configured for geographic redundancy (a multisite deployment), allowing administrators to place DirectAccess entry points in multiple physical locations. However, Windows 7 clients don't support this feature and must be assigned to a single entry point. Windows 10 clients fully support geographic redundancy and transparent site failover: they automatically select the nearest entry point, and if that entry point becomes unavailable they transparently fail over to one of the remaining entry points.

Traditionally the IP-HTTPS IPv6 transition protocol was considered the protocol of "last resort" for DirectAccess connections, because Windows 7 clients encrypt the IP-HTTPS tunnel with SSL/TLS even though the DirectAccess traffic it carries is already encrypted with IPsec. This double encryption introduced high protocol overhead, and performance and scalability suffered for organizations supporting a large number of Windows 7 clients. Windows 10 (like Windows 8.x) supports null encryption for IP-HTTPS connections: the TLS session is negotiated with a null cipher suite, so the IPsec-protected payload is not encrypted a second time, which greatly improves scalability and performance without weakening the protection of the traffic. This results in a better end user experience, and a single DirectAccess server can support many more Windows 10 clients than Windows 7 clients. Two caveats: null encryption is only negotiated when the DirectAccess server itself terminates the IP-HTTPS connection, so if TLS is offloaded to a load balancer or application delivery controller the cipher is whatever that device negotiates; and Windows 7 clients on the same server continue to use a full cipher suite.

For Windows 7, DirectAccess was a bit of an afterthought. As a result, the operating system lacks any native visual indicator of DirectAccess connectivity status: the user is left to assume that DirectAccess is working, or to try connecting to corporate resources to see whether they are reachable. To address this shortcoming, Microsoft released the DirectAccess Connectivity Assistant (DCA), an optional component that can be deployed on Windows 7 clients to show DirectAccess connectivity status. Windows 10 includes native graphical support for DirectAccess, including an intuitive connectivity status indicator. This eliminates the need to deploy, manage, and maintain additional software for monitoring DirectAccess connectivity on the client.

Typically, once DirectAccess is installed and configured, it really is a "set-it-and-forget-it" solution. Once it works, it usually just continues to work. However, there are times when it doesn't, and Windows 7 sorely lacks helpful troubleshooting tools on the client side. In contrast, Windows 10 includes full support for DirectAccess configuration review and troubleshooting with PowerShell. Windows 10 clients include numerous native PowerShell cmdlets for evaluating DirectAccess parameters, reviewing the applied configuration, and testing connectivity. Troubleshooting client-side DirectAccess on Windows 10 is far easier than on Windows 7.
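The following client-side health check is an added example, not code from the original post. It ties together the points above: connection status, the IP-HTTPS tunnel, the multisite entry point table, the NRPT, the IPsec tunnels, and the corporate resource probes that the native status indicator tests. Every cmdlet is built into Windows 10 Enterprise (the DirectAccessClientComponents, NetworkTransition, DnsClient and NetSecurity modules); none of them exist on Windows 7. The assumed parts are stated in comments: the `PING:<host>` / `HTTP:<url>` format of the `CorporateResources` entries, and that `Get-DAEntryPointTableItem` errors on a single-site deployment.

```powershell
# Added example (not from the original post): client-side DirectAccess
# health check for a Windows 10 Enterprise client. Run in an elevated
# PowerShell session on the client. Nothing is hard-coded: server URLs,
# DNS suffixes and probe targets are all read from the applied policy.

function Test-DAClientHealth {
    [CmdletBinding()]
    param()

    # 1. What the native status indicator reports (ConnectedRemotely,
    #    ConnectedLocally, Error, ...) and why.
    $status = Get-DAConnectionStatus
    Write-Host ("Connection status : {0} ({1})" -f $status.Status, $status.Substatus)

    # 2. Transition technology. IP-HTTPS is what most clients end up on;
    #    an active interface with last error 0x0 means the TLS-wrapped
    #    tunnel to the server is up (whether or not IPsec has succeeded).
    $ipHttps = Get-NetIPHttpsState
    $ipCfg   = Get-NetIPHttpsConfiguration -PolicyStore ActiveStore
    Write-Host ("IP-HTTPS          : {0}; server {1}; last error {2}" -f `
        $ipHttps.InterfaceStatus, $ipCfg.ServerURL, $ipHttps.LastErrorCode)

    # 3. Multisite: the active store shows the entry point the client
    #    selected and whether each entry point is considered reachable.
    #    Assumed: the cmdlet errors when the deployment is not multisite.
    try {
        Get-DAEntryPointTableItem -PolicyStore ActiveStore -ErrorAction Stop |
            Format-Table EntryPointName, ADSite, State -AutoSize | Out-String | Write-Host
    } catch {
        Write-Host 'Entry points      : single-site deployment (no entry point table)'
    }

    # 4. Name resolution: suffixes the NRPT sends through the tunnel and the
    #    DNS64 addresses they go to. No rules means the DirectAccess GPO
    #    has not applied to this client at all.
    $nrpt = Get-DnsClientNrptPolicy | Where-Object { $_.DirectAccessDnsServers }
    foreach ($rule in $nrpt) {
        Write-Host ("NRPT              : {0} -> {1}" -f $rule.Namespace, ($rule.DirectAccessDnsServers -join ', '))
    }

    # 5. IPsec: a healthy remote client has main mode SAs to the server for
    #    both the infrastructure and the intranet tunnel. IP-HTTPS up with no
    #    SAs points at authentication (computer certificate or Kerberos proxy).
    $sas = @(Get-NetIPsecMainModeSA)
    Write-Host ("IPsec main mode   : {0} SA(s)" -f $sas.Count)
    $sas | Format-Table LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm -AutoSize |
        Out-String | Write-Host

    # 6. The corporate resource probes the administrator configured in the
    #    Remote Access wizard; these are what the status indicator tests.
    #    Assumed entry format: "PING:<host>" or "HTTP:<url>".
    $cfg = Get-DAClientExperienceConfiguration
    $results = foreach ($probe in $cfg.CorporateResources) {
        $kind, $target = $probe -split ':', 2
        $ok = switch ($kind.ToUpper()) {
            'PING'  { [bool](Test-Connection -ComputerName $target -Count 1 -Quiet) }
            'HTTP'  { try { (Invoke-WebRequest -Uri $target -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 } catch { $false } }
            default { $false }
        }
        [pscustomobject]@{ Probe = $probe; Reachable = $ok }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    return $results
}

Test-DAClientHealth
```

When a multisite client has picked a poor entry point, the administrator can let users choose one themselves with `Enable-DAManualEntryPointSelection -EntryPointName <name>` and revert to automatic selection with `Disable-DAManualEntryPointSelection`; both cmdlets ship in the same client module and require elevation.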

Windows 10 DirectAccess clients may not require a Public Key Infrastructure (PKI).

Windows 7 DirectAccess clients require computer certificates issued from an existing internal private PKI in all deployment scenarios. Although this is a very secure way to configure DirectAccess, for smaller deployments with less stringent security requirements it adds significant burden, both in management and in performance. For some deployment scenarios, Windows 10 clients can use DirectAccess with Kerberos Proxy authentication, which eliminates the requirement for a PKI and PKI-managed computer certificates: the IPsec tunnels are authenticated with Active Directory credentials, relayed to a domain controller by the KDC proxy on the DirectAccess server. This reduces the management overhead of a full PKI implementation and also reduces the work the DirectAccess server performs per connection, improving performance and scalability. Two caveats for planning. First, Kerberos Proxy is only an option for a single-site deployment with password-based user authentication; multisite, two-factor (OTP) authentication, force tunneling, and any Windows 7 clients all still require computer certificates. Second, "no PKI" means no certificates on every client, not no certificates at all: the IP-HTTPS listener still needs a TLS server certificate (a public CA is fine) and the Network Location Server still needs one that clients trust.
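The following server-side script is an added example, not code from the original post. It shows the two settings side by side, the Kerberos Proxy configuration (computer certificate authentication disabled) and the PKI configuration (enabled, with the internal root pinned), guarded by checks for the scenarios that still require certificates. `Get-RemoteAccess`, `Get-DAClient`, `Get-DAMultiSite` and `Set-DAServer` are cmdlets of the RemoteAccess module on the DirectAccess server; the `Downlevel` and `ForceTunnelingStatus` property names, the behaviour of `Get-DAMultiSite` on a single-site server, and the `CN=Contoso Root CA` subject are assumptions.

```powershell
# Added example (not from the original post): switch a DirectAccess server
# between computer-certificate IPsec authentication and Kerberos proxy.
# Run in an elevated session on the DirectAccess server.

Import-Module RemoteAccess

function Get-KerberosProxyBlockers {
    # Deployment features that still require computer certificates.
    # Returns an empty array when Kerberos proxy can be used.
    $blockers = @()

    $ra = Get-RemoteAccess
    if ($ra.UserAuthentication -eq 'TwoFactor') { $blockers += 'two-factor (OTP) user authentication' }

    # Assumed: Get-DAMultiSite throws when multisite is not enabled.
    try {
        $null = Get-DAMultiSite -ErrorAction Stop
        $blockers += 'multisite deployment'
    } catch { }

    $client = Get-DAClient
    if ($client.Downlevel -eq 'Enabled')            { $blockers += 'Windows 7 (downlevel) clients' }  # property name assumed
    if ($client.ForceTunnelingStatus -eq 'Enabled') { $blockers += 'force tunneling' }                 # property name assumed

    return $blockers
}

function Set-DAComputerAuthentication {
    param(
        [Parameter(Mandatory)][ValidateSet('KerberosProxy', 'Certificate')][string] $Mode,
        # Subject of the internal CA root that issues client computer
        # certificates; only used for -Mode Certificate. Assumed value.
        [string] $IPsecRootSubject = 'CN=Contoso Root CA'
    )

    if ($Mode -eq 'KerberosProxy') {
        $blockers = Get-KerberosProxyBlockers
        if ($blockers) {
            throw "Kerberos proxy is not supported with: $($blockers -join '; ')"
        }
        # With computer certificate authentication disabled, client computers
        # authenticate the IPsec tunnels through the KDC proxy on this server
        # instead of presenting a certificate from the internal PKI.
        Set-DAServer -ComputerCertAuthentication Disabled
    } else {
        $root = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -eq $IPsecRootSubject } | Select-Object -First 1
        if (-not $root) { throw "Root CA '$IPsecRootSubject' not found in the machine Root store" }
        # Pin the root that every client computer certificate must chain to;
        # a certificate from any other CA is rejected for the IPsec tunnels.
        Set-DAServer -ComputerCertAuthentication Enabled -IPsecRootCertificate $root
    }

    Get-RemoteAccess | Select-Object ComputerCertAuthentication, UserAuthentication, IPsecRootCertificate
}

# Usage (either form; a client reconnect picks up the new GPO settings):
# Set-DAComputerAuthentication -Mode KerberosProxy
# Set-DAComputerAuthentication -Mode Certificate -IPsecRootSubject 'CN=Contoso Root CA'
```

The change is written into the DirectAccess client and server GPOs, so clients only see it after their next Group Policy refresh; a client that is already remote needs the refreshed policy before it can reconnect, which is why this is best done during a maintenance window with clients on the corporate network.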

If you've already deployed DirectAccess and are supporting Windows 7 clients, there are many more features you'll be able to take advantage of when you move to Windows 10. Fully supported geographic redundancy with transparent site failover is sure to make many administrators very happy. Performance and scalability will improve, and the folks on the helpdesk will be much happier with built-in configuration and troubleshooting tools at their disposal. Users will appreciate having the native connectivity status indicator available to confirm corporate network connectivity, and network architects can take advantage of new deployment scenarios made possible by Windows 10 that reduce the complexity of the overall solution.

This video demo by David Papkin shows implementing DirectAccess with Windows 10.